Update 2: Clear cookies / cache and re-login. I can confirm we were NOT impacted by the security vulnerability but I have restricted sign ups and cleared existing logins. Security patch applied.

We were not impacted by the security incident. However, we do have a suspicious sign-up which I’ll be investigating. I have made sure there’s no custom emoji (attack vector) and will apply the patch as soon as possible (edit: it’s been applied).

Browsing malicious posts from remote instances WILL NOT compromise your account. Just in case, I’ve also removed these posts from the database.

Stay tuned for more updates.

Update 1: Yiffit.net should not have been impacted by the recent security vulnerability. I’m investigating.

Hello, we should not have been impacted since we don’t have custom emoji. We did have one emoji, but I removed it hours ago.

I do have one suspicious sign-up request. I’m investigating and will potentially invalidate everyone’s session, so you might need to log in again.

Also, my login credentials as admin to Yiffit are completely different to the ones to the server. If my account here were to be compromised, an attacker would not get access to the server.

  • Alexmitter@kbin.social · 2 upvotes · 1 year ago

    Do you know how it did work? I see it seems to be related to custom emojis, that sounds like an interesting attack vector to me.

    • Wander@yiffit.net (OP, mod) · 3 upvotes · 1 year ago

      I haven’t been able to look deeper into it, but for some reason the user input wasn’t properly sanitized when a custom emoji from one local’s instance was used.

      I’ve got a few meetings now, but will try to look more into it later.
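A defensive illustration of the bug class Wander describes above (an emoji field from an untrusted instance interpolated into HTML without escaping) next to a hardened renderer. This is an added example, not Lemmy's code or the instance's: the `:shortcode:` syntax, the emoji table and the hostile sample values are constructed for the demo.

```python
import html
import re

# Constructed custom-emoji table, as a remote instance might supply it.
# "wave" is benign; "evil" carries hostile values in both fields (constructed).
EMOJIS = {
    "wave": {"url": "https://example.invalid/emoji/wave.png", "alt": "waving hand"},
    "evil": {"url": 'https://example.invalid/x.png" onerror="alert(1)',
             "alt": '"><script>alert(1)</script>'},
}

SHORTCODE = re.compile(r":([A-Za-z0-9_]+):")


def render_unsafe(text, emojis=EMOJIS):
    """The bug class: emoji fields pasted into markup verbatim (do not use)."""
    def repl(m):
        e = emojis.get(m.group(1))
        if e is None:
            return m.group(0)
        return f'<img class="emoji" src="{e["url"]}" alt="{e["alt"]}">'
    return SHORTCODE.sub(repl, text)


def safe_url(url):
    """Allow only plain http(s) URLs; anything else becomes an empty src."""
    return url if re.fullmatch(r"https?://[^\s\"'<>]+", url) else ""


def render_safe(text, emojis=EMOJIS):
    """Hardened form: surrounding text and every emoji field are escaped,
    and the image URL must pass the scheme allow-list."""
    out, pos = [], 0
    for m in SHORTCODE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        e = emojis.get(m.group(1))
        if e is None:
            out.append(html.escape(m.group(0)))
        else:
            src = html.escape(safe_url(e["url"]), quote=True)
            alt = html.escape(e["alt"], quote=True)
            out.append(f'<img class="emoji" src="{src}" alt="{alt}">')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def contains_injected_markup(rendered):
    """Detection check: any tag other than our own emoji <img>, or any
    on*= event handler attribute, means untrusted input reached the DOM."""
    return re.search(r'<(?!img class="emoji" )|\bon\w+\s*=', rendered) is not None
```

Run `render_safe` over stored post bodies as a regression check; `contains_injected_markup` flags output from the unsafe path and stays silent on the hardened one.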